Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xangzLTJnMzUtNmh2OM4AA69Z
Mautic Sensitive Data Exposure due to inadequate user permission settings
Impact
Prior to the patched version, logged in users of Mautic are able to access areas of the application that they should be prevented from accessing.
Users could potentially access sensitive data such as names and surnames, company names and stage names.
Patches
Update to 4.4.12 and 5.0.4
Workarounds
No
References
https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure
Permalink: https://github.com/advisories/GHSA-qjx3-2g35-6hv8JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xangzLTJnMzUtNmh2OM4AA69Z
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 21 days ago
Updated: 21 days ago
CVSS Score: 8.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H
Identifiers: GHSA-qjx3-2g35-6hv8, CVE-2022-25776
References:
- https://github.com/mautic/mautic/security/advisories/GHSA-qjx3-2g35-6hv8
- https://github.com/mautic/mautic/commit/22bdd0796ca6e1e985708b89ad5c07147630fecd
- https://github.com/mautic/mautic/commit/2cc4af975fe01c264d439acc1451c936e7114644
- https://github.com/advisories/GHSA-qjx3-2g35-6hv8
Blast Radius: 4.0
Affected Packages
packagist:mautic/core
Dependent packages: 2Dependent repositories: 3
Downloads: 1,952 total
Affected Version Ranges: >= 5.0.0-alpha, < 5.0.4, >= 1.0.2, < 4.4.12
Fixed in: 5.0.4, 4.4.12
All affected versions: 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.7.0, 2.7.1, 2.8.0, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.10.1, 2.11.0, 2.12.0, 2.12.1, 2.12.2, 2.13.0, 2.13.1, 2.14.0, 2.14.1, 2.14.2, 2.15.0, 2.15.1, 2.15.2, 2.15.3, 2.16.0, 2.16.1, 2.16.2, 2.16.3, 2.16.4, 2.16.5, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 4.4.10, 4.4.11, 5.0.0, 5.0.0-alpha, 5.0.0-alpha1, 5.0.0-beta1, 5.0.0-beta2, 5.0.0-rc1, 5.0.0-rc2, 5.0.1, 5.0.2, 5.0.3
All unaffected versions: 1.0.0, 1.0.1, 4.4.12, 5.0.4